Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
2
Replies

NAT best practice with zone based firewall

Go to solution
ktravis02
Level 1
Level 1

‎01-30-2019 12:39 PM - edited ‎03-05-2019 11:13 AM

Good Day, I am configuring a new router and want to simplify the configuration as much as I can. It occurred to me that instead of limiting access with NAT specifying ports, that I do that already using the Zone Base Firewall access list. I should be able to just use ip nat inside source static IPAddress IPAddress. Does any one see any problem with doing so?

Thanks,

Ken

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-30-2019 12:51 PM

 

I have come across different opinions on this but personally I don't see a problem with it all. 

 

I tend to think of using ports in static translations when you do not have enough IP addresses rather than as a security feature because as you rightly say the security element is your access list not your NAT configuration. 

 

You could make the argument that using ports is a additional level of security because if you make a mistake in your access list you still are only allowing through certain ports but I don't really see that as a valid argument ie. you should not be relying on NAT at all as a security feature as that was never it's intended purpose. 

 

Others may disagree :) 

 

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-30-2019 12:51 PM

 

I have come across different opinions on this but personally I don't see a problem with it all. 

 

I tend to think of using ports in static translations when you do not have enough IP addresses rather than as a security feature because as you rightly say the security element is your access list not your NAT configuration. 

 

You could make the argument that using ports is a additional level of security because if you make a mistake in your access list you still are only allowing through certain ports but I don't really see that as a valid argument ie. you should not be relying on NAT at all as a security feature as that was never it's intended purpose. 

 

Others may disagree :) 

 

Jon

0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎01-30-2019 01:48 PM

Hi,

I little agree with Jon but I am thinking that why would I allow for performing nat if it is really not required for a port? As example: I need only 443 port to be open but if anyone will trying to pull the traffic on 8080 then router must be translated it first into the required ip and after that will check for your ACL and zone based inspection.

 

It is wasted of router resources. 

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card